Regulatory Mandates are Proliferating faster than Organizations Can Ramp up to Meet the new Requirements. So How do I get Ahead of the Curve?
Benjamin Franklin was quoted as saying, “an ounce of prevention is worth a pound of cure”. Seems like good advice, easy to follow and obvious, so why is it so hard to achieve in the business of IT? Would you rather bring your car in for regular maintenance, or have the engine freeze in the middle of nowhere, at night, with no help in sight. Easy answer and most of us take better care of our cars than we do our It infrastructure, but it’s not for lack of interest. It comes down to a trade off – what am I going to focus on today? The urgent fires popping up all around me? Or the strategic investment I need to make in the best interests of the business. Unfortunately the “urgent” items win almost 100% of the time.
Most organizations understand the risks associated with non-compliance – failing audits and paying fines are not things that move the business forward. Then again, you could argue passing audits doesn’t move the business forward either! But it’s a fact of life and something we all need to address. A recent survey stated 44% of organizations are in “fire-fighting” mode when it comes regulatory audits and it drives critical resources away from strategic priorities. Organizations routinely jump into an “all hands on deck” mentality, focusing on the urgent and preventing CIOs and their teams from completing strategic projects that would help them meet their company’s business goals. Getting more strategic about your risk and compliance approach may appear hard, costly and out of reach, but it is easier than you think.
Ensuring your organization remains secure and compliant is one of those “ounce of prevention” moments. Yes, if not set up correctly, getting in control, getting compliant, can be time consuming and challenging. Regulatory mandates are proliferating faster than organizations can ramp up to meet the new requirements. So what is the answer? How do I get ahead of the curve?
An Ounce of Prevention
• Demand automation
• Take a “Big Appetite” strategic solution approach
• Implement the “Small Bite” tactical approach
Demand Automation
With the amount of regulations worldwide, there is no possible way you can remain compliant with out some kind of automated solution. In fact, there are already more than 400 compliance mandates worldwide, and 50% of companies have to comply with 10 or more regulations annually. Annual PCI audits and quarterly SOX reports tend to cause the most pain these day, but don’t fall into the trap of focusing on an individual regulation or audit. Trying to handle regulations “one by one” is a recipe for disaster. For example, I recently spoke with one company taking this approach and found out there are spending 18-20% of their operations budget solely on audits. Ouch!
When you realize that all regulations are asking you to address 80+% of the same IT controls and processes, then you understand the enormous payback of automation. To rely on manual processes or disparate point products is simply no longer an option. Without a truly automated compliance solution, companies are spending far more on operational costs than is necessary and putting themselves at great risk. Sadly, what prompts many companies to take a different approach to compliance is when they fail an audit and incur a substantial fine. There is no ROI on an imposed fine. Look for a complete compliance solution – one that not only automates IT controls and gets you compliant, but also monitors and prevents change after the audit so that you don’t have to repeat the process every time.
Take a “Big Appetite” Strategic Solution Approach
Protecting intellectual property, customer data, and employee information is vitally important to business success today. Not only because it helps preserve a competitive advantage, but also because, the world over, the law is increasingly requiring it.
When designing your full solution for risk and compliance, step back to see the big picture and design without limits – take a “big appetite” approach. While you may not be able to implement everything (at least in the short term), this approach will help you uncover edge cases and ideas that you normally would have missed if you just focus on the urgent and immediate. Plus the final design may surprise you in how achievable it actually is.
No one starts with a clean slate – organizations have made investments in products and solutions over the years, investments they would prefer to leverage. Many of these point products are best-in-class, they solve customer challenges around change management, auditing, reporting, whitelisting, etc. While good, these point products usually force their own systems requirements and separate management consoles leaving companies to bear the burden of specialized resources and additional operating expenses to manage and monitor compliance mandates.
Decide which of these point products are still worth leveraging and design them into your overall solution. Choose a management approach that can integrate with the existing products and import the data associated with those products. You don’t want to be left choosing between a series of manual workarounds that quickly bury IT staff or a technical integration nightmare that has you writing blank checks to professional service firms.
Take a solution-based approach to compliance by leveraging the power of integrated product sets. The products are more efficient and create more value if they can be managed under a single console. The burden of managing just another point product to satisfy a single need or requirement is a concept that should be retired.
Implement the “Small Bite” Tactical Approach
“Don’t put off until tomorrow, what you can do today”
If you spent the time to design the right solution, then you can implement it in “small bites”. You will never be given unlimited time and budget to put all the business projects on hold while you automation a compliance solution, so you need to implement in stages. There are many paths you can take, but here’s one possible approach.
Set up change monitoring on your systems and databases first. This gives you an initial indication of the types and frequency of changes happening in your environment and lets you analyze what changes are acceptable and which ones you need to control or stop. From here you can also determine optimized or “gold” configurations of your servers and databases so that you have a standard bar to measure against.
Implement automated change policies and prevention rules to shut down risky or inappropriate changes that you discovered in the prior step. You can take it a step further by integrating this into your change management system so that certain changes are automatically approved, others are automatically prevented, and some start a work-flow process to determine if they should be allowed to proceed.
Next, start to automate IT controls according to the regulations and internal governance you need to comply with. You can begin by importing the benchmarks from the frameworks you need to adhere to – look for a compliance solution that will do this automatically. You might want to automate the controls for a particular regulation audit that is coming up. And after that audit try it for the next regulation. You’ll find you already had most of the controls automated because of the overlap between regulations. Each one will be come easier.
Finally, set up the automated reports and management views you want to monitor and maintain compliance. There are many standard reports, but you can customize a lot of this to meet your business needs. Likewise, you can set up automated reports and emails that can be generated on a regular basis with the appropriate reports being sent to different layers of management.
Results
I have worked with companies who have taken this approach and reduced their spend on audits and compliance by 40% over what they were spending prior in a manual “one off” approach. In addition, I’ve seen external auditors accept internal audit reports from companies that have this kind of refined automated process, and those companies end up saving millions in auditor fees. It can be done.
So it’s not if, but when should you invest in an automated, comprehensive compliance solution. The risk and dollars are too high not to. Consider this, in that same survey, over 50% of all organizations indicated they have failed a regulation audit, and approximately 10% have paid fines. Those numbers have a direct impact on a company’s bottom line. Organizations realize that compliance is a strategic initiative. It is targeted to be the main budget driver for 25% of IT Security projects in 2011.
Security and compliance challenges are expanding rapidly. For companies to remain secure and complainant in such a market place requires forward thinking strategies that move beyond the daily fire-fight. Getting off the manual, point product bus and choosing to ride the continuous compliance bullet train is the first step in taking Benjamin Franklin’s advice.
